[PATCH] security: apparmor: Remove hardcoded "libvirtd" profile name

The apparmor driver probe function checks for an active profile matching the full path of the running daemon binary. If not found, it checks for a profile named "libvirtd". This works fine when the running daemon is the old monolithic libvirtd, but fails with modular daemons. Remove the check for a hardcoded "libvirtd" profile and replace with the basename of the running daemon binary. Signed-off-by: Jim Fehlig <jfehlig@suse.com> --- src/security/security_apparmor.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index c8e77c6cd2..eed0f265d6 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -239,7 +239,9 @@ use_apparmor(void) */ rc = profile_status(libvirt_daemon, 1); if (rc < 0) { - rc = profile_status("libvirtd", 1); + g_autofree char *basename = g_path_get_basename(libvirt_daemon); + + rc = profile_status(basename, 1); /* Error or unconfined should all result in -1 */ if (rc < 0) rc = -1; -- 2.43.0
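
Review bot: in the `if (rc < 0)` branch of use_apparmor(), the new local `basename` has the same name as the libc basename() function, so it hides that function wherever its declaration is in scope. A name such as `daemon_name` would avoid that and read more clearly next to `libvirt_daemon`. The g_autofree on the g_path_get_basename() result is right, since that call returns a newly allocated string.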

On Mon, Jan 06, 2025 at 01:30:45PM -0700, Jim Fehlig via Devel wrote:
The apparmor driver probe function checks for an active profile matching the full path of the running daemon binary. If not found, it checks for a profile named "libvirtd". This works fine when the running daemon is the old monolithic libvirtd, but fails with modular daemons.
Remove the check for a hardcoded "libvirtd" profile and replace with the basename of the running daemon binary.
Signed-off-by: Jim Fehlig <jfehlig@suse.com>
---
 src/security/security_apparmor.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
participants (2): Daniel P. Berrangé, Jim Fehlig